[MART] - Daily Diary #351 - Meet Numando, Yet Another Brazilian Banking Trojan

CTAS-MAT ctas-mat at appgate.com
Mon Sep 20 20:34:18 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

09/20/2021 - Diary entry #351

In our Daily Diaries #346, #268 and others we covered a few Brazilian banking trojans. Active since 2018, Numando is another banking malware from Brazil that was discovered targeting multiple Latin American companies.

Numando works very similarly to other Brazilian banking trojans. It's written in Delphi and, after infecting the machine, it stays hidden, waiting for the user to log in to their Internet banking. When a connection to a targeted website is started, the malware sends a ping to the C&C server. The attacker then watches the user's screen and uses the trojan to project an overlay screen and lock the user's keyboard and mouse, enabling the attacker to transfer the money to a controlled account without the user's knowledge.

An interesting feature of Numando is how it stores its configuration file. Upon execution, it contacts a Pastebin or a YouTube address and parses the C&C address from the page content. This malware is mainly distributed through spam e-mails, and its execution involves multi-stage payloads and strong obfuscation techniques, using content hidden inside trusted files and side-loading to load malicious code into trusted applications.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
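
Added example, not part of the original diary entry: a hunt for the configuration lookup described above, flagging DNS queries for Pastebin or YouTube made by any process that is not a browser at its expected install path. The event fields (`host`, `image`, `query`), the browser path allowlist and the sample events are assumptions constructed for illustration.

```python
# Services the diary names as hosting the C&C address.
DEAD_DROP_DOMAINS = ("pastebin.com", "youtube.com")

# Assumption: full paths of the browsers expected to reach those services.
# Matching the full path (not just the file name) also catches a binary that
# merely calls itself chrome.exe from a user-writable directory.
BROWSER_PATHS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}

# Constructed sample DNS-query events (not from a real incident).
SAMPLE_EVENTS = [
    {"host": "ws-014", "query": "www.youtube.com",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws-014", "query": "pastebin.com",
     "image": r"C:\Users\ana\AppData\Roaming\upd\viewer.exe"},
    {"host": "ws-022", "query": "WWW.YouTube.com.",
     "image": r"C:\Users\ana\AppData\Local\Temp\chrome.exe"},
    {"host": "ws-022", "query": "notpastebin.com",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-031", "query": "pastebin.com",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]


def normalize(query):
    """Lower-case the name and drop a trailing root dot."""
    return query.rstrip(".").lower()


def matches_dead_drop(query):
    """True for the listed domains and their subdomains, not look-alikes."""
    name = normalize(query)
    return any(name == d or name.endswith("." + d) for d in DEAD_DROP_DOMAINS)


def suspicious_lookups(events):
    """Return (host, image, query) for lookups made by non-browser processes."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        if matches_dead_drop(ev["query"]) and image not in BROWSER_PATHS:
            hits.append((ev["host"], image, normalize(ev["query"])))
    return hits


if __name__ == "__main__":
    for hit in suspicious_lookups(SAMPLE_EVENTS):
        print(hit)
```

Legitimate non-browser clients of these services will also match, so the allowlist needs tuning per environment before the hits are treated as alerts.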
